CS 5950/6030 Network SecurityClass 9 (W, 9/21/05)

Leszek LilienDepartment of Computer Science

Western Michigan University

[Using some slides prepared by:Prof. Aaron Striegel — at U. of Notre Dame

Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. WashingtonProf. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The

Netherlands]

2

Review of Class 8

Class 8 started with

Correction of example from Class 7

(columnar transp. cipher as a block cipher)

3

Symmetric andAsymmetric Cryptosystems (2b)

Asymmetric encryption = public key encryption (PKE) KE ≠ KD — public and private keys

PKE systems eliminate symmetric encr. problems Need no secure key distribution channel

=> easy key distribution

4

2D. DES (Data Encryption Standard)

Outline

2D.1. Background and History of DES

2D.2. Overview of DES

2D.3. Double and Triple DES

2D.4. Security of DES

5

2E. The Clipper Story (1)

... Or: How not to set up a standard

A scenario Only a single electronic copy of a corporation’s

crucial (and sensitive) document To prevent espionage, strong encryption used to

protect that document Only CEO knows the key CEO gets hit by a truck Is the document lost forever?

Key escrow (a depository) facilitates recovery of the document if the key is lost

[cf. J. Leiwo]

6

2F. AES

... Or: How to set up a standard

AES = Advanced Encryption Standard

Outline2F.1. The AES Contest

2F.2. Overview of Rijndael

2F.3. Strength of AES

2F.4. Comparison of DES and AES

7

2F.1. The AES Contest (1)

1997 – NIST calls for proposals NIST Criteria:

Unclassifed code Publicly disclosed Royalty-free worldwide Symmetric block cipher for 128-bit blocks Usable with keys of 128, 192, and 256 bits

1998 – 15 algorithms selected

(Nat’l Institute of Standards and Technology)

8

Class 8 ended here

9

Section 2 – Class 9 2. Introduction to Cryptology

... 2C. Making „Good” Ciphers ...

2C.4. Symmetric and Asymm. Cryptosystems — PART 2

2D. The DES (Data Encryption Standard) Algorithm ... 2E. The Clipper Story

2F. The AES (Advanced Encryption Standard) Algorithm 2F.1. The AES Contest

2F.2. Overview of Rijndael 2F.3. Strength of AES 2F.4. Comparison of DES and AES 2H. The Uses of Encryption 2H.1. Cryptographic Hash Functions – PART1

Class8

Class9

10

2F.2. Overview of Rijndael/AES

Similar to DES – cyclic type of approach 128-bit blocks of P # of iterations based on key length

128-bit key => 9 “rounds” (called rounds, not cycles)

192-bit key => 11 rounds 256-bit key => 13 rounds

Basic ops for a round: Substitution – byte level (confusion) Shift row (transposition) – depends on key length

(diff.) Mix columns – LSH and XOR (confusion +diffusion) Add subkey – XOR used (confusion)

11

2F.3. Strengths of AES

Not much experience so far (since 2001)

But: Extensive cryptanalysis by US gov’t and

independent experts Dutch inventors have no ties to NSA or

other US gov’t bodies (less suspicion of trapdoor)

Solid math basis Despite seemingly simple steps within rounds

12

2F.4. Comparison of DES & AES (1)

DES AESDate 1976 1999Block size [bits] 64 128Key length [bits] 56 (effect.) 128, 192, 256, or

moreEncryption substitution, substitution, shift, bitPrimitives permutation mixingCryptographic confusion, confusion,Primitives diffusion diffusionDesign open openDesign closed openRationaleSelection secret secret, but acceptedprocess public commentsSource IBM, enhan- independent Dutch

ced by NSA cryptographers

13

Comparison of DES & AES (2)

Weaknesses in AES? 20+ yrs of experience with DES eliminated fears

of its weakness (intentional or not) Might be naïve…

Experts pored over AES for 2-year review period

14

Comparison of DES & AES (3)

Longevity of AES? DES is nearly 30 yrs old (1976)

DES-encrypted message can be cracked in days

Longevity of AES more difficult to answer Can extend key length to > 256 bits (DES: 56)

2 * key length => 4 * number of keys Can extend number of rounds (DES: 16)

Extensible AES seems to be significantly better than DES, but..

Human ingenuity is unpredicatble!=> Need to incessantly search for better and better

encryption algorithms

15

2G. Public Key Encryption (PKE)

Recall: Two main types of cryptosystems: Classical (= symmetric) Public key (= asymmetric)

Outline

2G.1. Motivation for PKE

2G.2. Characteristics of PKE

2G.3. RSA (Rivest-Shamir-Adelman) Encryption

16

2G.1. Motivation for PKE (1)

So far - cryptosystems with secret keys

Problems: A lot of keys

o(n2) keys for n users (n * (n-1) /2 keys)— if each must be able to communicate with each

Distributing so many keys securely Secure storage for the keys

User with n keys can’t just memorize them

Can have a system with significantly fewer keys?

Yes!

17

Motivation for PKE (2) 1976 — Diffie and Hellman — new kind of cryptosystem:

public key cryptosystem = asymmetric cryptosystem Key pairs: < kPRIVATE, kPUBLIC> Each user owns one private key Each user shares the corresponding public key with n-

1 remaining users => n users share each public key

Only 2n keys for n users 2n = n * (1 + n * 1/n) Forget the in-class „correction.” We go back to this original equation,

since public key is shared by n people: 1 „owner” + (n-1) others = n

Even if each communicates with each Reduction from o(n2) to o(n) ! n key pairs are:

<kPRIV-1, kPUB-1 >, <kPRIV-2, kPUB-2>, ..., <kPRIV-n, kPUB-n>

18

2G.2. Characteristics of PKE (1)

PKE requirements1. It must be computationally easy to encipher or

decipher a message given the appropriate key

2. It must be computationally infeasible to derive kPRIV from kPUB

3. It must be computationally infeasible to determine kPRIV from a chosen plaintext attack

[cf. Barbara Endicott-Popovsky, U. Washington]

19

Characteristics of PKE (2)

Key pair characteristics

One key is inverse of the other key of the pair i.e., it can undo encryption provided by the

other: D(kPRIV, E(kPUB, P)) = P D(kPUB, E(kPRIV, P)) = P

One of the keys can be public since each key does only half of E ”+” D

As shown above – need both E and D to get P back

20

Characteristics of PKE (3) Two E/D possibilities for key pair <kPRIV, kPUB >

P = D(kPRIV, E(kPUB, P)) User encrypts msg with kPUB (kPUB” ”locks”) Recipient decrypts msg with kPRIV (kPRIV ”unlocks”)

OR P = D(kPUB, E(kPRIV, P)) (e.g., in RSA)

User encrypts msg with kPRIV (kPRIV ”locks”) Recipient decrypts msg with key kPUB (kPUB

”unlocks”)

Do we still need symmetric encryption (SE) systems? Yes, PKEs are 10,000+ slower than SEs

PKEs use exponentiation – involves multiplication and division SEs use only bit operations (add, XOR< substitute, shift) – much

faster

21

2G.3. RSA Encryption (1)

RSA = Rivest, Shamir, and Adelman (MIT), 1978

Underlying hard problem: Number theory – determining prime factors of a

given (large) number (ex. factoring of small #: 5 5, 6 2 *3)

Arithmetic modulo n

How secure is RSA? So far remains secure (after all these years...) Will sb propose a quick algorithm to factor large

numbers? Will quantum computing break it? TBD

22

RSA Encryption (2)

In RSA:P = E (D(P)) = D(E(P)) (order of D/E does not matter) More precisely: P = E(kE, D(kD, P)) = D(kD, E(kE,

P))

Encryption: C = Pe mod n KE = e Given C, it is very difficult to find P without

knowing KD

Decryption: P = Cd mod n KD = d

23

2H. The Uses of Encryption

PKE is much slower than SE (symmetric E) PKEs only for specialized, infrequent tasks SEs – a real workhorse

Four applications of encryption (& outline) Cryptographic Hash Functions (subsec.

2H.1) Key Exchange (subsec. 2H.2) Digital Signatures (subsec. 2H.3) Certificates (subsec. 2H.4)

24

2H.1. Cryptographic Hash Functions (1)

Integrity: How can you be sure that a recived msg/doc was

not modified by an attacker or malfunction? Answer: use cryptography to ensure integrity

Idea: Wax seals on letters in Middle Ages

— easy to see if broken Cryptographic „seal” on doc/msg

— so that any change to it will be readily detected

25

Cryptographic Hash Fcns (2)

A technique:compute a hash fcn / checksum / msg digest

More formally: Problem: How to send n-bit msg so that R can

easily verify that it is intact

Solution: Send a msg of n+k bits n bits — original msg k bits — checksum = msg digest

Generated based on the n bits

26

Cryptographic Hash Fcns (3)

Simple Parity for Error Detection (1)

Simple (non-cryptographic) technique: parity Add a single parity bit to detect if a message is

correct Example 1: odd parity

Force the block of data to have an odd # of 1’s Data = 1011 — n = 4 Sent block = 10110 — n+k = 4+1

— looked at ‘1011’, added 0 to have odd # of 1’s Data = 0110 Sent block = 01101

— looked at ‘0110’, added 1 to have odd # of 1’s

Example 2: ASCII parity bit ASCII has 7 bits for data, 8th bit is single parity

bit Either odd or even parity used

[cf. A. Striegel, U. Notre Dame]

27

How parity enhances msg integrity? Can detect error in 1 bit (or in odd # of bits)

e,.g, if R gets 01001, R knows it’s wrong(S sent 01101)

Cannot detect error in 2 bits (or in even # of bits) Bec. parity stays OK -> undetectable integrity

violation e.g, if R gets 01011, R knows it’s wrong

(S sent 01101)

Cannot repair errors either E.g., R doesn’t know which bit in 01001 is wrong

[cf. A. Striegel, U. Notre Dame]

Cryptographic Hash Fcns (4)

Simple Parity for Error Detection (2)

28

Cryptographic Hash Fcns (5)

Better Checksums against Errors & Attacks

There are better checksums than simple odd/even parity Can detect multiple errors Can even repair multiple errors

These checksums are to fix errors, not deal with attacks

For attacks needcryptographic checksums / strong hash functions

29

Cryptographic Hash Fcns (6)

Strong Hash Function Formal definition:

strong hash function (cryptographic checksum) is h: A -> B such that:

1) For any x A, h(x) is easy to compute2) For any y B, it is computationally infeasible to

findinverse of y, i.e., x A such that h(x) = y

3) It is computationally infeasible to find a pair of colliding input values, i.e. x, x’ A such that x ≠ x’ and h(x) = h(x’)Alternate (stronger) form for (3):Given any x A, it is computationally infeasible to

findx’ A such that x ≠ x’ and h(x) = h(x’)

Due to (1) and (2), hash fcn is a one-way function[cf. A. Striegel, U. Notre Dame, Barbara Endicott-Popovsky, U. Washington]

30

Cryptographic Hash Fcns (7)

Collisions & Attacks on Msg Integrity (1)

Note: n bits of msg (x) mapped into k bits of its checksum

(y) k < n => collisions must exist But it is computationally infeasible to find collisions

for good hash fcns

Goal of a successful attack on msg integrity: Change msg1 in such a way that checksum remains

unchanged (so R doesn’t detect the forgery) I.e., find msg2 that collides with the original msg1

w.r.t. checksum value Finding msg2 is computationally infeasible (for good

hash)

=> forging msg1 undetectably is computationally infeasible

[cf. A. Striegel, U. Notre Dame]

31

Pigeonhole principle n containers for n+1 objects (n pigeonholes for n+1

pigeons)=> at least 1 container will hold two objects

Example: length(msg) = 5, length(hash)= 3 25=32 possible msgs vs. 23=8 possible hash values

=> at least 4 (= 32/8) different msgs hash into the same value (collisions!)

Real msgs and hash values are much longer than 5 or 3 bits!We know that collisions exist but:=> much tougher to find collisions=> much tougher to forge them

[cf. A. Striegel, U. Notre Dame]

Cryptographic Hash Fcns (8)

Collisions & Attacks on Msg Integrity (2)

32

Cryptographic Hash Fcns (9)

File Checksum File checksum

Calculated, a fcn defined on all bits of the file Result encrypted and stored with the file Each time file used by legitimate users,

checksum recalculated, encrypted, stored with the file

File sent to R When file received by R:

R decrypts checksum c1 received in the file R independently calculates file checksum c2 If c1 = c2 => file integrity is OK Otherwise – file integrity violated

33

End of Class 9